(54) Encryption and decryption devices for public-key cryptosystems and recording medium with their processing programs recorded thereon



(57) In a public-key cryptosystem based on a multiplicative group, n = p^2 q, where p and q are odd primes, and g, selected from (Z/nZ)* such that g_p = g^(p-1) mod p^2 has order p in (Z/p^2 Z)*, are made public. A plaintext m, a random number r and n are used to calculate m + rn, and n and g are used to compute C = g^(m+rn) mod n, which is output as the ciphertext. For the ciphertext C, C mod p^2 is calculated, then C_p = C^(p-1) mod p^2 is calculated to obtain (C_p - 1)/p = L(C_p), and L(C_p) is multiplied by the secret key L(g_p)^(-1) mod p to obtain the plaintext m.
Description

BACKGROUND OF THE INVENTION 

[0001] The present invention relates to encryption and decryption devices for use in public-key cryptosystems and to a recording medium with their processing programs recorded thereon.

[0002] In the transmission and reception of data over a security-free communication channel, cryptosystems are used to guard against wiretapping. In general, cryptosystems fall into two categories: common-key cryptosystems and public-key cryptosystems. In the common-key cryptosystem, the encipher and decipher keys are the same, and hence they need to be delivered in secrecy. Furthermore, since this technique requires as many keys as there are communicating pairs, an increase in the number of sending/receiving stations in the network inevitably causes an increase in the number of keys that must be kept secret.

[0003] On the other hand, the public-key cryptosystem uses different keys as the encipher and decipher keys. Even if the encipher key is made public, the secrecy of the decipher key can be maintained as long as its computation from the encipher key is infeasible in terms of computational complexity. Accordingly, no secret delivery of the encipher key is necessary. Moreover, since each sending/receiving station needs only to keep its own decipher key in secrecy, it is also possible to solve the problem of the number of keys to be held secret. That is, the public-key cryptosystem offers a solution to the problem of key management encountered in the common-key cryptosystem. Another advantage of the public-key cryptosystem over the common-key cryptosystem is the settlement of the problem of key delivery, which is the greatest difficulty with the latter: the former does not involve secret key delivery. Besides, since in the common-key cryptosystem the same key is shared by the persons concerned, it is impossible to identify which person generated a ciphertext using the common key. With the public-key cryptosystem, however, since each person has his own secret key exclusively, it is possible to identify the person who generated a ciphertext using the secret key. Digital signature schemes utilize this property of the public-key cryptosystem.

[0004] That is, the use of the public-key cryptosystem permits the implementation of digital signature schemes, and ensures verification of the counterpart in communication. It is well known in the art that the public-key cryptosystem can be implemented through utilization of what is called a trapdoor one-way function. A one-way function is one that allows ease of computation in one direction but makes computation in the opposite direction infeasible in terms of computational complexity. The trapdoor one-way function mentioned herein is a one-way function with a trick: "knowledge of some secret allows ease of computation in the opposite direction as well." The trick is called a "trapdoor."

[0005] At present, the following problems are known to be as yet unsolved:

(a) Integer Factorization Problem (hereinafter referred to as IFP): a problem of factoring an input composite number into its prime factors;

(b) Discrete Logarithm Problem of a Multiplicative Group over a Finite Field (hereinafter referred to as DLP): a problem of determining, for example, an integer x in y = g^x satisfying 0 ≤ x < p for a given element y in a multiplicative group Fp* = <g> of a finite field Fp, where p is a prime;

(c) Discrete Logarithm Problem of Elliptic Curves over a Finite Field (hereinafter referred to as ECDLP): a problem of determining, for example, an integer m satisfying P = mG for a point P in the subgroup of E(Fp) generated by a point G in the group E(Fp) composed of all the Fp-points on an elliptic curve defined over the finite field Fp.

[0006] For elliptic curves and elliptic curve cryptosystems, see, for example, Menezes, A. J., "Elliptic Curve Public Key Cryptosystems," Kluwer Academic Publishers (1993) (hereinafter referred to as Literature 1). The cryptosystems described in this literature are typical examples expected to use the one-way function. Typical and practical public-key cryptosystems proposed at present are, for instance, the RSA cryptosystem, the Rabin cryptosystem, the ElGamal cryptosystem, and the elliptic curve cryptosystem (elliptic ElGamal cryptosystem). The RSA and Rabin cryptosystems are based on the intractability of IFP, the ElGamal cryptosystem is based on the intractability of DLP, and the elliptic curve cryptosystem is an ElGamal cryptosystem in the group of points on an elliptic curve over a finite field, which is based on the intractability of ECDLP.

[0007] The RSA cryptosystem is disclosed in Rivest, R. L. et al., "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, vol. 21, pp. 120-126 (1978) (hereinafter referred to as Literature 2). The Rabin cryptosystem is disclosed in Rabin, M. O., "Digital Signatures and Public-Key Functions as Intractable as Factorization," MIT Technical Report MIT/LCS/TR-212 (1979) (hereinafter referred to as Literature 3). The ElGamal cryptosystem is disclosed in ElGamal, T., "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Trans. on Information Theory, IT-31, 4, pp. 469-472 (1985) (hereinafter referred to as Literature 4). The elliptic curve cryptosystem was proposed by Miller, V. S. and Koblitz, N. separately in 1985, and this scheme is described in Miller, V. S., "Use of Elliptic Curves in Cryptography," Proc. of Crypto '85, LNCS 218, Springer-Verlag, pp. 417-426 (1985) (hereinafter referred to as Literature 5) and in Koblitz, N., "Elliptic Curve Cryptosystems," Math. Comp., 48, 177, pp. 203-209 (1987) (hereinafter referred to as Literature 6).

[0008] Now, the above-mentioned cryptosystems and their properties will be described concretely.

[0009] A description will be given first of how the RSA cryptosystem is constructed. Let p and q be odd primes and choose n, e and d such that they satisfy the following equations:

$n = pq$

$\mathrm{GCD}(e, \mathrm{LCM}(p-1, q-1)) = 1$

$ed \equiv 1 \pmod{\mathrm{LCM}(p-1, q-1)}$

where GCD(a, b) is the greatest common divisor of the integers a and b, and LCM(a, b) is the least common multiple of the integers a and b.

[0010] The encryption and decryption processes E(M) and D(C) of a message M are defined by the following equations using (n, e) as the public keys and (d, p, q) as the secret keys.

$C = E(M) = M^e \pmod n$ (1)

$M = D(C) = C^d \pmod n$ (2)

At this time, if M satisfies 0 ≤ M ≤ n-1, then the following equation holds.

$D(E(M)) = M$ (3)

[0011] The Rabin cryptosystem is constructed as follows: Choose p, q and n in the same manner as above, and determine an integer b which satisfies 0 ≤ b < n. The encryption process E(M) and the decryption process D(C) are defined by the following equations using (n, b) as the public keys and (p, q) as the secret keys.

$C = E(M) = M(M+b) \pmod n$ (4)

$M = D(C) = \bigl(-b \pm (b^2 + 4C)^{1/2}\bigr)/2 \pmod p = \bigl(-b \pm (b^2 + 4C)^{1/2}\bigr)/2 \pmod q$ (5)

The Rabin cryptosystem involves solving simultaneous congruences in decryption, but since each quadratic congruence possesses two solutions, the calculation in this case yields four solutions, giving rise to the problem that the decryption cannot be performed uniquely under the above conditions. This can be settled as a matter of system operation by using some additional information for communication; and the Rabin cryptosystem has also been improved for unique decryption. This is described in Kaoru Kurosawa et al., "Public-Key Cryptosystems Using Reciprocals which are as Intractable as Factoring," Journal of IEICE, Vol. J70-A, No. 11, pp. 1632-1636 (1987) (hereinafter referred to as Literature 7).

[0012] The ElGamal cryptosystem is constructed as follows: Let p be a prime. Choose g as a generating element of the modular-p reduced residue class group (Z/pZ)*, that is, as an element of order p-1. Choose an integer x such that 0 < x < p, and set y = g^x (mod p). The encryption process E(M) and the decryption process D(C) are defined by the following equations using (y, g, p) as the public keys and x as the secret key.

$C = (C_1, C_2) = E(M)$ (6)

$C_1 = g^r \pmod p$ (7)

$C_2 = y^r M \pmod p$ (8)

$M = D(C) = C_2 / C_1^{x} \pmod p$ (9)

where r is an arbitrary integer such that 0 < r < p, which is chosen anew for each encryption.

[0013] If 0 < M < p, then the following equation holds.

$M = D(E(M))$ (10)
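As an added example, not part of the patent text, the following Python code implements the three background schemes of Eqs. (1)-(10) on constructed toy parameters. The Rabin decryption deliberately returns all four roots of Eq. (5), which is the non-uniqueness problem described in [0011]. The primes, keys and messages are constructed values; the Rabin primes are chosen with p ≡ q ≡ 3 (mod 4) so that a modular square root is a single exponentiation, which is an assumption of this example and not a requirement stated in the text.

```python
# Added example (not from the patent): RSA (Eqs. 1-3), Rabin (Eqs. 4-5) with all
# four candidate plaintexts, and ElGamal (Eqs. 6-10) on constructed toy parameters.
import math


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """n = pq, ed = 1 mod LCM(p-1, q-1); returns ((n, e), (d, p, q))."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # LCM(p-1, q-1)
    if math.gcd(e, lam) != 1:
        raise ValueError("e must be coprime to LCM(p-1, q-1)")
    return (n, e), (pow(e, -1, lam), p, q)


def rsa_roundtrip(m: int, p: int = 61, q: int = 53, e: int = 17) -> int:
    """D(E(M)) = M for 0 <= M <= n-1, Eqs. (1)-(3); primes are constructed values."""
    (n, e), (d, _, _) = rsa_keygen(p, q, e)
    return pow(pow(m, e, n), d, n)


def sqrt_mod_blum(a: int, p: int) -> int:
    """Square root modulo a prime p = 3 (mod 4): a^((p+1)/4) mod p.
    The caller must check that the result squares back to a."""
    return pow(a, (p + 1) // 4, p)


def crt2(rp: int, rq: int, p: int, q: int) -> int:
    """Combine x = rp (mod p) and x = rq (mod q) into x mod pq."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def rabin_encrypt(m: int, n: int, b: int) -> int:
    """C = M(M+b) mod n, Eq. (4)."""
    return m * (m + b) % n


def rabin_decrypt_all(c: int, p: int, q: int, b: int) -> list:
    """All solutions of Eq. (5): (-b +/- sqrt(b^2+4C))/2 modulo p and modulo q,
    combined pairwise by the CRT. Two signs per prime give up to four plaintexts,
    which is exactly the ambiguity [0011] describes."""
    per_prime = []
    for r in (p, q):
        disc = (b * b + 4 * c) % r
        s = sqrt_mod_blum(disc, r)
        if s * s % r != disc:
            raise ValueError("no square root modulo %d" % r)
        inv2 = pow(2, -1, r)
        per_prime.append({(-b + s) * inv2 % r, (-b - s) * inv2 % r})
    roots = {crt2(mp, mq, p, q) for mp in per_prime[0] for mq in per_prime[1]}
    return sorted(roots)


def elgamal_roundtrip(m: int, p: int = 467, g: int = 2, x: int = 153, r: int = 197) -> int:
    """Eqs. (6)-(10): y = g^x, C1 = g^r, C2 = y^r M, M = C2 / C1^x (mod p).
    p, g, x and r are constructed values for the example."""
    y = pow(g, x, p)
    c1, c2 = pow(g, r, p), pow(y, r, p) * m % p
    return c2 * pow(pow(c1, x, p), -1, p) % p


if __name__ == "__main__":
    print("RSA:", rsa_roundtrip(65))
    print("Rabin roots for C=E(5):", rabin_decrypt_all(rabin_encrypt(5, 77, 3), 7, 11, 3))
    print("ElGamal:", elgamal_roundtrip(123))
```

With n = 7 · 11 = 77 and b = 3, the ciphertext of M = 5 decrypts to the four candidates 5, 27, 47 and 69, every one of which re-encrypts to the same C; the receiver cannot tell which was sent without the additional information mentioned in [0011].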
[0014] The elliptic curve cryptosystem (elliptic ElGamal cryptosystem) is constructed as follows: Let p be a prime and define an elliptic curve over the finite field Fp as follows:

$E(a, b): y^2 = x^3 + ax + b$

where a, b ∈ Fp and 4a^3 + 27b^2 ≠ 0.

Choose an Fp-rational point G on the elliptic curve such that its order q has a sufficiently large prime as a divisor. Choose an arbitrary integer x such that 0 < x < q, and let P = xG by addition on the elliptic curve E(a, b). Then, the encryption process E(M) and the decryption process D(C) are defined by the following equations using {p, E(a, b), G, P, q} as the public keys and x as the secret key.

$C = (C_1, C_2) = E(M)$ (11)

$C_1 = rG$ (12)

$C_2 = rP + M$ (13)

$M = D(C) = (C_2 - xC_1)$: x-coordinate (14)

where r is an arbitrary integer which satisfies 0 < r < q and is chosen anew for each encryption, and rP + M is the sum, on the elliptic curve, of a point which has M as its x-coordinate and the point rP on the elliptic curve. In general, it is not known whether a point which has M as its x-coordinate is always present on a given elliptic curve (such a point exists with a probability of 1/2). If a rule common to all systems is established to add some redundant information to M, it will always be possible to obtain a point which has, as its x-coordinate, M with the redundant information added.

[0015] Next, a description will be given of the computational complexity of each cryptosystem mentioned above. As regards the RSA cryptosystem, it is well known that the computational complexities of both the encryption and the decryption are on the order of k^3, where k is the number of bits of the public key n. In the Rabin cryptosystem, the computational complexity is on the order of k^2 for encryption and on the order of k^3 for decryption. In this case, too, k represents the number of bits of the public key n.

[0016] In the ElGamal cryptosystem, the computational complexity is on the order of k^3 for each of the encryption and the decryption, where k represents the number of bits of the prime p used as the public key.

[0017] The computational complexities of the above cryptosystems do not differ much in terms of order, but it is evident that when they are implemented, their computational costs will differ considerably. Actually, it is well known that addition on an elliptic curve takes about ten times longer than multiplication in the finite field over which the elliptic curve is defined.

[0018] Next, the security of the above cryptosystems will be described.

[0019] Since the cryptosystems are intended to send messages in the form of ciphertexts so as to conceal the message contents from adversaries (wiretappers), the extent to which the message contents are concealed is of importance. That is, cryptanalysis falls into full or complete analysis (which means that the original plaintext is fully recovered from the ciphertext) and fractional analysis (which means that partial information about the plaintext is recovered from the ciphertext). Attacks on public-key cryptosystems are divided into two types: (a) passive attacks, which merely receive an encrypted message and try to decrypt or analyze its contents only from the received information, and (b) active attacks, which are allowed to send various challenges or questions (in ciphertext form) to the communicating party, receive responses thereto (the results of decryption of the ciphertext), and analyze or decrypt the targeted ciphertext based on the information so received. Of the active attacks, an adaptive chosen ciphertext attack (an attack in which the cryptanalyst causes arbitrarily chosen ciphertexts to be decrypted by the true receiving party and then decrypts another ciphertext through utilization of the information thus obtained and public information) is the most powerful.

[0020] Now, the security of the typical public-key cryptosystems will be described based on the classifications referred to above. In the cryptosystems based on the intractability of the IF (Integer Factoring) problem, such as the RSA and Rabin cryptosystems, if the public key n can be factored, then the primes p and q which constitute the secret key are obtained and the least common multiple LCM(p-1, q-1) can be computed, by which the secret key d is obtained. Hence, these cryptosystems are subject to full or complete analysis. It has been proven that the computation of LCM(p-1, q-1) solely from n is equivalent to factoring the latter. That is, LCM(p-1, q-1) cannot be obtained unless the primes p and q are known.

[0021] The RSA cryptosystem might be completely analyzed by a method other than factoring the public key n into its prime factors, but it has been proven that only the factoring of the public key n is effective for complete analysis of the Rabin cryptosystem. That is, although it is still unknown whether the analysis of the RSA cryptosystem is equivalent to solving the IF problem, it has been proved that complete analysis of the Rabin cryptosystem is equivalent to solving the IF problem. The same is true of an inverse version of the Rabin cryptosystem. This finding on the Rabin cryptosystem demonstrated for the first time that a certain kind of security of a cryptosystem can be proved under the assumption of the intractability of a basic problem (the IF problem in this case). This means that the security of the above-described public-key cryptosystems against passive attacks has been proved on the assumption of the intractability of the IF problem. Conversely, this is a proof that the Rabin cryptosystem is weak against active attacks. An efficient cryptosystem which is secure against the chosen ciphertext attack is disclosed, for example, in Bellare et al., "Optimal Asymmetric Encryption," Proc. of Eurocrypt '94, LNCS 950, Springer-Verlag, pp. 92-111, 1995 (hereinafter referred to as Literature 8).

[0022] As regards fractional or partial cryptanalysis, it has been proved for the RSA and Rabin cryptosystems that the computation of the least significant bit of the plaintext M from the ciphertext C is as difficult as the computation of the whole plaintext M from the ciphertext C. It has also been proved that the portion of the plaintext corresponding to log k bits continuing from its least significant bit possesses similar security. This is described in Alexi, W. et al., "RSA and Rabin Functions: Certain Parts Are as Hard as the Whole," SIAM Journal on Computing, 17, 2, pp. 449-457 (1988) (hereinafter referred to as Literature 9).

[0023] The ElGamal cryptosystem is based on the intractability of DLP (the discrete logarithm problem); hence, if DLP can be solved, then the secret key x is available from the public key (y, g, p), permitting the analysis of the cryptosystem. However, it has not been proved whether the analysis of the ElGamal cryptosystem is as hard as DLP. As for the elliptic curve cryptosystem, too, it has not been proved whether its analysis is as hard as ECDLP (the discrete logarithm problem on the elliptic curve).

[0024] As described above, public-key cryptosystems solve the key management problem raised in the conventional common-key cryptosystem, and permit the implementation of digital signature schemes. However, the public-key cryptosystems for which a certain kind of security can be proved by assuming the intractability of the basic problem are limited only to the Rabin cryptosystem and its modifications. That is, the one-way functions actually usable are only IFP, DLP and ECDLP. No provably secure public-key cryptosystem has been implemented which uses a new "trapdoor" based on such a known one-way function.

SUMMARY OF THE INVENTION

[0025] It is therefore an object of the present invention to provide encryption and decryption devices for public-key cryptosystems which use IFP as the one-way function but with a new "trapdoor," and which can be proved to be secure against passive adversaries based on the assumption that IFP is intractable.

[0026] Another object of the present invention is to provide a recording medium on which there are recorded the encryption and decryption programs of the encryption and decryption devices for public-key cryptosystems.

[0027] The encryption device according to the present invention comprises: exponent generation means for combining an input plaintext m and a random number r to generate an exponent; and exponentiating means for generating a ciphertext by exponentiating a second public key g with the exponent in a modular-n reduced residue class group, where n is a first public key which is a composite number.

[0028] The decryption device according to the present invention comprises: Γ-transform means for transforming an input ciphertext, by using a first secret key, to an element C_p of a modular-n reduced residue class group, where n is the first public key which is a composite number; and discrete logarithm solution means for solving a discrete logarithm in the transformed element C_p through the use of a second secret key.

BRIEF DESCRIPTION OF THE DRAWINGS

[0029]

Fig. 1 is a block diagram illustrating the functional configuration of an embodiment of each of the encryption and decryption devices in a "public-key cryptosystem based on a multiplicative group" according to the present invention;

Fig. 2A is a block diagram depicting a concrete example of the functional configuration of an exponent generation part 110 in Fig. 1;

Fig. 2B is a block diagram depicting a concrete example of the functional configuration of a Γ-transform part 210 in Fig. 1;

Fig. 3 is a block diagram illustrating the functional configuration of "modification 1 of the public-key cryptosystem based on the multiplicative group" employing other embodiments of the encryption and decryption devices according to the present invention;

Fig. 4 is a block diagram depicting a concrete example of the functional configuration of an exponent generation part 110 in Fig. 3;

Fig. 5 is a block diagram depicting a concrete example of a Γ-transform part 210 in Fig. 3;

Fig. 6 is a block diagram depicting a concrete example of the functional configuration of a discrete logarithm solution part 220 in Fig. 3;

Fig. 7 is a block diagram depicting a concrete example of an exponent generation part in a modification 2 of the encryption device according to the present invention;

Fig. 8 is a block diagram illustrating the functional configuration of each of embodiments of the encryption and decryption devices in a "public-key cryptosystem based on elliptic curves" according to the present invention;

Fig. 9A is a block diagram depicting a concrete example of the functional configuration of an exponent generation part 410 in Fig. 8;

Fig. 9B is a block diagram depicting a concrete example of the functional configuration of an SSA algorithm part 520 in Fig. 8;

Fig. 10 is a block diagram illustrating the configuration for performing encryption and decryption through execution of operation programs stored on a recording medium; and

Fig. 11 is a table which gives a comparison in performance between conventional public-key cryptosystems and the public-key cryptosystem of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0030] It is known that the discrete logarithm problem in a p-Sylow subgroup of a certain group can be solved with high efficiency. The p-Sylow subgroup mentioned herein is, for a finite group H, that one of its subgroups whose order is the highest power of p among the orders of the subgroups. The present invention provides a novel public-key cryptosystem for which a certain level of security can be proved, through utilization of the highly efficient solvability of the discrete logarithm problem in the p-Sylow subgroup of a specific finite group.

[0031] More specifically, the present invention offers two kinds of public-key cryptosystem: (a) a public-key cryptosystem which is constructed on a modular-n reduced residue class group (Z/nZ)*, where n = p^2 q, p and q being primes; and (b) a public-key cryptosystem which is constructed on an elliptic curve E_p defined on a modular-n reduced residue class group Z/nZ, where n = pq. The former will hereinafter be called the "public-key cryptosystem based on a multiplicative group" and the latter the "public-key cryptosystem based on an elliptic curve."

Public-Key Cryptosystem Based on Multiplicative Group 
(Principle) 

[0032] In the modular-p^2 reduced residue class group (Z/p^2 Z)*, where p is an odd prime, the p-Sylow subgroup Γ, which is the subgroup of order p, can be written as follows:

$\Gamma = \{\, x \in (\mathbb{Z}/p^2\mathbb{Z})^* \mid x \equiv 1 \pmod p \,\}$ (15)

The discrete logarithm problem over (Z/p^2 Z)* is commonly believed to be still a very difficult problem, and no efficient algorithm for solving it has been discovered. However, the discrete logarithm problem in the p-Sylow subgroup Γ (hereinafter referred to simply as the subgroup Γ) can be solved with high efficiency. Now, consider the following function defined over the subgroup Γ.

$L(x) = (x - 1)/p, \quad x \in \Gamma$ (16)

This function is an Fp-valued function. For arbitrary elements a and b of Γ, the function L satisfies the following:

$L(ab) = L(a) + L(b) \bmod p$ (17)

It will also be seen that this function L provides an isomorphism from the subgroup Γ, as a group, onto the additive group of the finite field Fp. It will readily be understood that the computational quantity of evaluating L on the subgroup Γ is on the order of k^2, where k is the number of bits of p. Accordingly, the discrete logarithm problem in the subgroup Γ, that is, the problem of calculating m from x and y, where x ∈ Γ, 0 < m < p and y = x^m, can be efficiently solved for the reason given below. From Eq. (17),

$L(y) = L(x^m) = mL(x) \bmod p$ (18)
So, if L(x) ≠ 0 mod p, then the value m is given by

$m = L(y)/L(x) \bmod p$ (19)

The computational complexity for computing m from x and y is on the order of k^2, where k is the number of bits of p.

[0033] Through utilization of this property, it is possible to construct a novel "trapdoor" and hence a novel public-key cryptosystem.
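As an added illustration, not part of the patent text, the following Python code enumerates the subgroup Γ of Eq. (15) for a small constructed prime, checks the homomorphism property of L in Eq. (17) over all pairs, and recovers m from x and y = x^m by Eqs. (18)-(19). The prime 101, the base 1 + 7p and the exponent 58 are constructed values for the example; the function names are the example's own.

```python
# Added example (not from the patent): the p-Sylow subgroup Gamma of (Z/p^2 Z)*,
# the function L of Eq. (16), and the discrete logarithm in Gamma via Eq. (19).

P = 101  # small odd prime, constructed for illustration


def in_gamma(x: int, p: int) -> bool:
    """Membership test for Gamma = {x in (Z/p^2 Z)* | x = 1 (mod p)}, Eq. (15)."""
    return 0 < x < p * p and x % p == 1


def L(x: int, p: int) -> int:
    """L(x) = (x - 1)/p, Eq. (16); defined only on Gamma, where the division is exact."""
    if not in_gamma(x, p):
        raise ValueError("L is only defined on the subgroup Gamma")
    return (x - 1) // p


def gamma_elements(p: int) -> list:
    """Enumerate Gamma: the p elements 1 + kp mod p^2 for k = 0 .. p-1."""
    return [(1 + k * p) % (p * p) for k in range(p)]


def check_homomorphism(p: int) -> bool:
    """Verify Eq. (17), L(ab) = L(a) + L(b) mod p, for every pair a, b in Gamma."""
    mod = p * p
    elems = gamma_elements(p)
    return all(L(a * b % mod, p) == (L(a, p) + L(b, p)) % p
               for a in elems for b in elems)


def dlog_in_gamma(x: int, y: int, p: int) -> int:
    """Solve y = x^m mod p^2 for m with x, y in Gamma via Eq. (19): m = L(y)/L(x) mod p.
    Requires L(x) != 0 mod p, i.e. x is not the identity; otherwise m is not unique."""
    lx = L(x, p) % p
    if lx == 0:
        raise ValueError("L(x) = 0 mod p: x is the identity of Gamma, no unique logarithm")
    # pow(lx, -1, p) is the modular inverse of L(x) (Python 3.8+)
    return L(y, p) * pow(lx, -1, p) % p


def demo(p: int = P) -> tuple:
    """Solve one constructed instance and confirm the homomorphism property."""
    mod = p * p
    x = 1 + 7 * p              # element of Gamma with L(x) = 7
    m = 58                     # constructed exponent, 0 < m < p
    y = pow(x, m, mod)         # y = x^m mod p^2 stays inside the subgroup Gamma
    return dlog_in_gamma(x, y, p), check_homomorphism(p)


if __name__ == "__main__":
    print(demo())   # recovered m and homomorphism check result
```

Because (1 + kp)^m ≡ 1 + mkp (mod p^2), the exponentiation that is hard in (Z/p^2 Z)* becomes a multiplication of L-values in Fp, and a single division modulo p undoes it; that is the whole of the "efficient solvability" the text relies on.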

FIRST EMBODIMENT 

[0034] The public-key cryptosystem based on the multiplicative group according to the present invention will be described below as applied to a public-key cryptosystem constructed on the modular-n reduced residue class group (Z/nZ)*, where n = p^2 q, p and q being primes. From the Chinese remainder theorem (see, for example, Okamoto and Yamamoto, "Modern Cryptography," p. 15, Sangyo Tosho (1997) (hereinafter referred to as Literature 12)), the following equations hold:

$(\mathbb{Z}/n\mathbb{Z})^* \cong (\mathbb{Z}/p^2\mathbb{Z})^* \times (\mathbb{Z}/q\mathbb{Z})^*$ (20)

$\cong \Gamma \times (\mathbb{Z}/p\mathbb{Z})^* \times (\mathbb{Z}/q\mathbb{Z})^*$ (21)

Therefore, the "public-key cryptosystem based on the multiplicative group" is defined as described below. Determine g ∈ (Z/nZ)* such that g_p = g^(p-1) mod p^2 ∈ Γ satisfies L(g_p) ≠ 0 mod p, and let n, g, k be the public keys, where k is the number of bits of the primes p and q. Assuming that the plaintext m is a natural number chosen in the range 0 ≤ m < 2^(k-1), r is arbitrarily selected from Z/nZ and the encryption is defined by

$C = g^{m+rn} \bmod n$ (22)

In the case of decryption, if C can be transformed into an element of Γ, then a person who knows the prime factor p of n can efficiently compute the discrete logarithm by using the function L defined by Eq. (16). Since m is in the range 0 ≤ m < 2^(k-1), it is uniquely determined modulo p; hence, the decryption can be performed efficiently. For the transformation of C into an element of Γ, if

$C_p = C^{p-1} \bmod p^2$ (23)

then C_p ∈ Γ. This means that C_p given by Eq. (23) is contained in the subgroup of order p given by Eq. (15). And it can be proved that the analysis of the public-key cryptosystem is equivalent to factoring the public key n, that is, equivalent to IFP.

[0035] In the "public-key cryptosystem based on the multiplicative group" according to the present invention, the encryption device comprises an exponent generation part which combines a plaintext and a random number to generate the exponent for a modular-n exponentiation, and an n-exponentiator for performing the modular-n exponentiation. The ciphertext generated by the n-exponentiator is provided onto a communication line, for instance. On the other hand, the decryption device comprises a Γ-transform part for performing a (p-1)th-power exponentiation modulo p^2, and a discrete logarithm solution part for solving the discrete logarithm problem in the subgroup Γ to decrypt the ciphertext.

Embodiments of Public-Key Cryptosystem Based on Multiplicative Group 

[0036] A description will be given first of the basic functional configuration of the "public-key cryptosystem based on 
the multiplicative group" according to the present invention and then of embodiments of each part thereof. 

(Key Generation)

[0037] Let odd primes p and q be chosen arbitrarily and set n = p^2 q, where the odd primes p and q are assumed to have the same number k of bits.

[0038] Further, g is selected from (Z/nZ)* such that g_p = g^(p-1) mod p^2 has order p in (Z/p^2 Z)*, that is, lies in the p-Sylow subgroup Γ. Then L(g_p) ≠ 0 mod p holds with the aforementioned function L. Actually, any element of order p in (Z/p^2 Z)* can be expressed as 1 + kp mod p^2 (where this integer k is not divisible by p), and hence L(1 + kp) = [(1 + kp) - 1]/p = k ≠ 0 mod p. More specifically, when g is selected from (Z/nZ)* at random, the probability that L(g_p) ≠ 0 mod p is considered to be around 1 - (1/p); therefore, such a g can be chosen with non-negligible probability. The user does not publish L(g_p)^(-1) mod p but precalculates it as one of the system parameters.

[0039] Accordingly, (n, g, k) is used as the public keys and (p, q) as the secret keys. In this case, L(g_p)^(-1) mod p may also be considered a secret key.

(Encryption Process)

[0040] For the plaintext m (where 0 ≤ m < 2^(k-1)), a random number r is selected in the range 0 ≤ r < n, then m + rn is calculated, and the ciphertext C is computed as follows:

$C = g^{m+rn} \bmod n$ (24)

(Decryption Process)

[0041] By raising both sides of the ciphertext-defining equation (24) to the (p-1)th power, the congruence modulo n yields a congruence modulo p^2 as well. The order of g_p mod p^2 is p and rn is a multiple of p, so g_p^{rn} = 1. Hence,

$C^{p-1} = g^{(p-1)(m+rn)} = g_p^{m} \times g_p^{rn} \bmod p^2 = g_p^{m} \bmod p^2$ (25)

Therefore, setting

$C_p = C^{p-1} \bmod p^2$ (26)

then

$C_p = g_p^{m} \bmod p^2$ (27)

Since C_p, g_p ∈ Γ, the use of the function L defined by Eq. (16) gives

$L(C_p) = L(g_p^{m}) = mL(g_p) \bmod p$ (28)

that is,

$m = L(C_p)/L(g_p) \bmod p$ (29)

Thus, the ciphertext can be decrypted.

[0042] With the above decryption procedure, the ciphertext C is decrypted by first calculating C_p with Eq. (26), then calculating L(C_p) = (C_p - 1)/p, and finally performing a modular-p multiplication of L(C_p) and the precalculable L(g_p)^(-1) mod p.

(Proof of Security)

[0043] Now, it will be proved that the "public-key cryptosystem based on the multiplicative group" is secure against passive adversaries or attacks, by proving that the analysis of the cryptosystem is equivalent to the factorization of n.

[0044] If an algorithm is available which factorizes n with non-negligible probability, it is possible to construct a probabilistic polynomial time algorithm for analyzing the "public-key cryptosystem based on the multiplicative group." Hence, only the following fact will be proved in this instance.

"If an algorithm A is available which analyzes the 'public-key cryptosystem' with non-negligible probability, then it is possible to construct a probabilistic polynomial time algorithm for factoring."

[0045] What is meant by an "algorithm for factoring n with non-negligible probability" is an algorithm which ensures factoring of n when it is applied repeatedly a number of times that is polynomial in the number of bits of the input n. The same holds true in the following description (see Literature 12 for the strict definition).

[0046] Now, given a composite number n (= p^2 q), a randomly selected g ∈ (Z/nZ)* can be used as a parameter of the public-key cryptosystem of the present invention with non-negligible probability. Next, it is possible to prove that the difference between the distribution of x mod pLCM(p-1, q-1), where x is randomly selected from Z/nZ, and the distribution of m + rn mod pLCM(p-1, q-1), where m + rn is the exponent appearing in the encryption procedure of the public-key cryptosystem according to the present invention, is negligible. For this reason, the algorithm A recognizes, with non-negligible probability, that C calculated by C = g^x mod n, where x is randomly selected from Z/nZ, is a ciphertext, and the algorithm A outputs a plaintext x_0 corresponding to C. Now, since the probability that x is a number in the range x < 2^(k-1) is negligible, it may be assumed that x ≥ 2^(k-1) with non-negligible probability. In this case, x ≡ x_0 (mod p) holds, while x ≡ x_0 (mod n) does not hold because x_0 < 2^(k-1). Accordingly, if GCD(x - x_0, n) is calculated, its value becomes one of p, pq and p^2, permitting factoring of n. Thus, it is possible to factor n in probabilistic polynomial time in its number of bits. In other words, the analysis of the public-key cryptosystem of the present invention is equivalent to factoring of n; this proves that the cryptosystem is secure against passive adversaries.
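The following Python code is added here as an illustration and is not taken from the patent. It implements key generation per [0037]-[0039], encryption per Eq. (24) and decryption per Eqs. (26)-(29) on two constructed 7-bit primes, and then runs the reduction of [0046] against the scheme's own decryption routine (standing in for the algorithm A) to show that an answer for a ciphertext C = g^x mod n with x ≥ 2^(k-1) yields a factor of n through GCD(x - x_0, n). The prime values, the function names and the oracle interface are assumptions of the example.

```python
# Added example (not from the patent): the scheme of Eqs. (22)-(29) on toy
# primes, followed by the factoring reduction of [0046] run against the
# scheme's own decryption routine.
import math
import random

# Constructed toy parameters: p and q are both 7-bit odd primes, so k = 7 and
# plaintexts must satisfy 0 <= m < 2^(k-1) = 64 (< p, so m is unique mod p).
P, Q = 107, 113


def L(x: int, p: int) -> int:
    """L(x) = (x - 1)/p for x in Gamma, Eq. (16)."""
    return (x - 1) // p


def keygen(p: int, q: int, rng: random.Random) -> tuple:
    """Pick g in (Z/nZ)* with L(g_p) != 0 mod p, g_p = g^(p-1) mod p^2 ([0038]).
    Returns (public=(n, g, k), secret=(p, q, L(g_p)^-1 mod p)) per [0039]."""
    n, p2, k = p * p * q, p * p, p.bit_length()
    while True:
        g = rng.randrange(2, n)
        if math.gcd(g, n) != 1:
            continue
        lgp = L(pow(g, p - 1, p2), p) % p
        if lgp != 0:                      # holds with probability about 1 - 1/p
            return (n, g, k), (p, q, pow(lgp, -1, p))


def encrypt(pub: tuple, m: int, rng: random.Random) -> int:
    """C = g^(m + rn) mod n with 0 <= m < 2^(k-1) and random r in Z/nZ, Eq. (24)."""
    n, g, k = pub
    if not 0 <= m < 2 ** (k - 1):
        raise ValueError("plaintext out of range")
    r = rng.randrange(n)
    return pow(g, m + r * n, n)


def decrypt(sec: tuple, c: int) -> int:
    """Gamma-transform Cp = C^(p-1) mod p^2 (Eq. 26), then m = L(Cp) L(g_p)^-1 mod p (Eq. 29)."""
    p, q, lgp_inv = sec
    p2 = p * p
    cp = pow(c % p2, p - 1, p2)           # Cp lies in the subgroup Gamma
    return L(cp, p) * lgp_inv % p


def roundtrip(seed: int = 1) -> tuple:
    """Encrypt and decrypt one constructed plaintext; returns (sent, recovered)."""
    rng = random.Random(seed)
    pub, sec = keygen(P, Q, rng)
    m = 45                                 # constructed plaintext, below 2^(k-1) = 64
    return m, decrypt(sec, encrypt(pub, m, rng))


def factor_with_decryption_oracle(pub: tuple, oracle, rng: random.Random) -> int:
    """The reduction of [0046]: choose random x in Z/nZ (almost surely x >= 2^(k-1)),
    submit C = g^x mod n, receive x0 = x mod p from the analyzing algorithm, and
    GCD(x - x0, n) is a proper factor of n (p, p^2 or pq)."""
    n, g, k = pub
    while True:
        x = rng.randrange(n)
        if x < 2 ** (k - 1):
            continue                       # negligible event; just retry
        x0 = oracle(pow(g, x, n))
        d = math.gcd(x - x0, n)
        if 1 < d < n:
            return d


def reduction_demo(seed: int = 1) -> bool:
    """Run the reduction with the scheme's own decrypt() standing in for algorithm A."""
    rng = random.Random(seed)
    pub, sec = keygen(P, Q, rng)
    d = factor_with_decryption_oracle(pub, lambda c: decrypt(sec, c), rng)
    return d in (P, P * P, P * Q)


if __name__ == "__main__":
    print("roundtrip:", roundtrip())
    print("reduction recovers a factor of n:", reduction_demo())
```

The reduction is the text's own argument that breaking the scheme is as hard as factoring n. Read from the operator's side it also explains why the proof covers passive adversaries only: any interface that returns the raw decryption of a ciphertext chosen by someone else hands over a multiple of p, so the scheme is to be deployed behind a construction that is secure against chosen ciphertext attacks, such as the one cited as Literature 8.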

(Concrete Example) 

10 

[0047] Next, a description will be given of a concrete example of the "public-key cryptosystem based on the multiplicative group" according to the present invention. As illustrated in Fig. 1, an encryption device 100 and a decryption device 200 are connected via a communication line 300. The encryption device 100 comprises an exponent generation part 110, a modular-n exponentiator 120, a storage part 130 for storing the predetermined values n and g, and a control part 140 for controlling operations of these parts. The decryption device 200 comprises an r-transform part 210, a discrete logarithm solution part 220, a storage part 230 and a control part 240 for controlling operations of these parts.

[0048] In the first place, the encryption process in the encryption device 100 will be described below. A detailed configuration of the exponent generation part 110 in the encryption device 100 is depicted in Fig. 2A. Upon receiving a plaintext m from a user of the encryption device 100, the exponent generation part 110 generates a random number r ∈ Z/nZ by a random generator 111, and inputs the random number r into a multiplier 112. The multiplier 112 multiplies the random number r by the value n read out of the storage part 130, and provides the product rn to an adder 113. The adder 113 adds the plaintext m and the product rn, and provides the sum m+rn to the modular-n exponentiator 120. The exponentiator 120 uses the values n and g read out of the storage part 130 to generate a ciphertext C = g^{m+rn} mod n corresponding to the value m+rn.

[0049] Next, the decryption process in the decryption device 200 will be described below. A detailed configuration of the r-transform part 210 in the decryption device 200 is depicted in Fig. 2B, and a detailed configuration of the discrete logarithm solution part 220 in Fig. 2C. Upon receiving the ciphertext C from the communication line 300, the r-transform part 210 in the decryption device 200 calculates C mod p^2 in a mod p^2-reducer 211 using the value p^2 read out of the storage part 230, and inputs the value C mod p^2 into an r-transformer 212. The r-transformer 212 computes C_p = C^{p-1} mod p^2 using p^2 and p read out of the storage part 230, and provides the value C_p to the discrete logarithm solution part 220. The discrete logarithm solution part 220 provides the value C_p from the r-transform part 210 to a logarithm calculator 221, which calculates L(C_p) by Eq. (16) using the value p read out of the storage part 230. The value L(C_p) is input into a multiplier 222, which calculates L(C_p) × L(g_p)^{-1} mod p using L(g_p)^{-1} mod p read out of the storage part 230. The discrete logarithm solution part 220 outputs the value thus obtained as the decrypted plaintext m.

[0050] The encryption procedure by the encryption device 100 may be implemented by recording the procedure as an operation program on a recording medium and reading it out for execution by a computer. Similarly, the decryption procedure by the decryption device 200 may be implemented by executing an operation program read out of a recording medium.

Modification of First Embodiment

[0051] In the above-described embodiment, as will be seen from its representation C = g^{m+rn} mod n, the ciphertext is a directly encrypted version of the raw plaintext m, and it is not proved to be secure against passive adversaries. A description will be given of embodiments of an encryption device which are improved in this respect over the Fig. 1 embodiment and can be proved to be secure against passive adversaries.

[0052] In one such modification (Modified Embodiment 1), the number of bits of the plaintext m is set at k_0 (where k_0 < k) and the value k_0 is made public. Furthermore, the number of bits of the random number r is set at k-k_0-1; the bit-string concatenation of m and r is written m||r, and M = m||r. Then M satisfies 0 ≤ M < 2^{k-1}. Moreover, a hash function is used to obtain R = h(M), where R ∈ Z/nZ.

[0053] At this time, the encryption is defined as follows:

C = g^{M+Rn} mod n (30)

The decryption is performed in exactly the same manner as described above, by which M is obtained, and in this instance the high-order k_0 bits of M are taken as the plaintext. As in the above, the thus modified ciphertext can be proved to be secure against passive attacks, and by assuming that the hash function h behaves as a random function, it can also be proved that the ciphertext is secure against chosen ciphertext attacks. For details, see Literature 8.
[0054] In another modification (Modified Embodiment 2), letting the plaintext and the number of its bits be represented by m and k_0 as above, R = h(m) is set. In this case, let the number of bits of R be k-k_0-1, and set M = m||R. Furthermore, with the random number r ∈ Z_n, the encryption process is defined as follows:

C = g^{M+rn} mod n (31)

The decryption is performed in exactly the same manner as above, by which M is obtained, and in this case the high-order k_0 bits of M are taken as the plaintext. The security of this modified embodiment will be understood from the afore-mentioned proof of security and by reference to Literature 8.

Concrete Examples of Modified Embodiments

[0055] A description will be given first of the procedures involved in the cryptosystems according to Modified Embodiments 1 and 2.

(Key Generation)

[0056] Modified Embodiments 1 and 2 share the method of key generation. Let the odd primes p and q be selected arbitrarily, and n = p^2 q. The odd primes p and q have the same number of bits, which is represented by k. Assume that they satisfy GCD(p-1, q-1) = 1. Furthermore, k_0 (where k_0 < k) is also predetermined. Further, g is selected from (Z/nZ)* such that g_p = g^{p-1} mod p^2 has order p in (Z/p^2 Z)*. By this, L(g_p) ≠ 0 mod p holds with the function L defined by Eq. (16). Actually, an element of order p in (Z/p^2 Z)* can be expressed as 1 + kp mod p^2 (where k is not divisible by p), and hence L(1+kp) = [(1+kp)-1]/p = k ≠ 0 mod p. More specifically, when g is selected from (Z/nZ)* at random, the probability of L(g_p) ≠ 0 mod p is around 1-(1/p); therefore, such a g can be found with non-negligible probability. The user does not publish L(g_p)^{-1} mod p but precalculates it as one of the system parameters. Let h be a hash function, (n, g, k, k_0, h) be the public key and (p, q) the secret key. In this instance, L(g_p)^{-1} mod p may also be regarded as a secret key.

(Encryption Process of Modified Embodiment 1)

[0057] For the plaintext m, the function h is used to obtain M = m||h(m), and the random number r is chosen in the range 0 ≤ r < n. The ciphertext C is computed as follows:

C = g^{M+rn} mod n (32)

(Encryption Process of Modified Embodiment 2)

[0058] For the plaintext m, the random number r (of k-k_0-1 bits) is generated to obtain M = m||r, and the hash function h is used to obtain R = h(M). The ciphertext C is computed as follows:

C = g^{M+Rn} mod n (33)

(Decryption Process of Modified Embodiment 1)

[0059] By raising both sides of the ciphertext defining equation (32) to the (p-1)th power, the congruence, which holds mod n, holds mod p^2 as well. The order of g_p mod p^2 is p, and rn is a multiple of p; so g_p^{rn} = 1. Hence,

C^{p-1} ≡ g^{(p-1)(M+rn)} = g_p^M × g_p^{rn} mod p^2 = g_p^M mod p^2 (34)

Therefore, setting

C_p = C^{p-1} mod p^2 (35)

then

C_p ≡ g_p^M mod p^2 (36)

Since C_p, g_p ∈ Γ, the use of the function L defined by Eq. (16) gives

L(C_p) = L(g_p^M) = M·L(g_p) mod p (37)

that is,

M = L(C_p)/L(g_p) mod p (38)

Thus, the plaintext m is obtained as the high-order k_0 bits of M, completing the decryption.
(Decryption Process of Modified Embodiment 2)

[0060] Since the decryption process of Modified Embodiment 2 is basically identical with that of Modified Embodiment 1, reference is made to Figs. 3, 5 and 6. By raising both sides of the ciphertext defining equation (32) to the (p-1)th power, the congruence, which holds mod n, holds mod p^2 as well. The order of g_p mod p^2 is p, and rn is a multiple of p; so g_p^{rn} = 1. Hence,

C^{p-1} ≡ g^{(p-1)(M+rn)} = g_p^M × g_p^{rn} mod p^2 = g_p^M mod p^2

Accordingly, M can similarly be computed by Eqs. (35), (36), (37) and (38), and the plaintext m is obtained as the high-order k_0 bits of M, completing the decryption.
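The first embodiment's encryption and decryption ([0048], [0049]) and the Modified Embodiment 1 padding and decryption ([0057], [0059]), carried through in Python as an added example; this is not the patent's code. It assumes toy-sized 16-bit primes and uses SHA-256 truncated to k-k_0-1 bits in place of the unspecified hash function h.

```python
"""Toy implementation of the first embodiment (n = p^2 q, C = g^(m+rn) mod n,
m = L(C_p) L(g_p)^-1 mod p) and of the Modified Embodiment 1 padding M = m || h(m).
Added example, not the patent's own code; toy-sized primes, SHA-256 stands in for h."""
import hashlib
import math
import secrets


def L(x, p):
    """The function L of Eq. (16): L(x) = (x - 1)/p for x = 1 mod p."""
    assert (x - 1) % p == 0
    return (x - 1) // p


def keygen(p, q):
    """p, q odd primes of the same bit length k; n = p^2 q; g in (Z/nZ)* such that
    g_p = g^(p-1) mod p^2 has order p, which holds exactly when L(g_p) != 0 mod p."""
    n = p * p * q
    while True:
        g = secrets.randbelow(n - 2) + 2
        if math.gcd(g, n) != 1:
            continue
        gp = pow(g, p - 1, p * p)
        if L(gp, p) % p:
            break
    lgp_inv = pow(L(gp, p) % p, -1, p)   # L(g_p)^-1 mod p, kept as a secret parameter
    return (n, g), (p, lgp_inv)


def encrypt(public, m):
    """C = g^(m + rn) mod n with r random in Z/nZ; m must stay below p (m < 2^(k-1))."""
    n, g = public
    r = secrets.randbelow(n)
    return pow(g, m + r * n, n)


def decrypt(secret, C):
    """C_p = C^(p-1) mod p^2 = g_p^m mod p^2 (the rn part vanishes since g_p has
    order p and rn is a multiple of p), then m = L(C_p) * L(g_p)^-1 mod p."""
    p, lgp_inv = secret
    p2 = p * p
    Cp = pow(C % p2, p - 1, p2)          # mod p^2-reducer followed by the r-transform
    return L(Cp, p) * lgp_inv % p


def pad(m, k, k0):
    """Modified Embodiment 1: M = m || h(m), m of k0 bits, h(m) of k-k0-1 bits, so that
    M < 2^(k-1) <= p.  SHA-256 truncated to k-k0-1 bits is the stand-in for h."""
    hbits = k - k0 - 1
    assert 0 <= m < (1 << k0) and hbits <= 256
    digest = hashlib.sha256(m.to_bytes((k0 + 7) // 8, "big")).digest()
    return (m << hbits) | (int.from_bytes(digest, "big") >> (256 - hbits))


def unpad(M, k, k0):
    """Take the high-order k0 bits of M as m and report whether h(m) re-verifies."""
    m = M >> (k - k0 - 1)
    return m, pad(m, k, k0) == M


if __name__ == "__main__":
    p, q, k, k0 = 65519, 65521, 16, 8                # toy 16-bit primes
    public, secret = keygen(p, q)
    print(decrypt(secret, encrypt(public, 12345)))   # first embodiment: 12345
    M = pad(200, k, k0)
    print(unpad(decrypt(secret, encrypt(public, M)), k, k0))   # (200, True)
```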

(Concrete Examples)

[0061] A description will be given, with reference to Figs. 3 and 4, of Modified Embodiment 1 of the public-key cryptosystem based on the multiplicative group. In Figs. 3 and 4 the parts corresponding to those in Figs. 1 and 2 are identified by the same reference numerals. The encryption device 100 and the decryption device 200 are connected via the communication line 300. The encryption device 100 comprises the exponent generation part 110, the modular-n exponentiator 120, the storage part 130, and the control part 140. The decryption device 200 comprises the r-transform part 210, the discrete logarithm solution part 220, the storage part 230 and the control part 240.

[0062] In Fig. 4 there is depicted a detailed configuration of the exponent generation part 110 in the encryption device 100. Upon receiving the plaintext m from the user of the encryption device 100, the exponent generation part 110 generates a random number r ∈ Z/nZ by the random generator 111, then reads out the public key n from the storage part 130, and inputs the random number r and the public key n into the multiplier 112 to compute rn. At the same time, an h-function operator 114 receives m as its input and outputs h(m). The output h(m) and the plaintext m are input into a bit concatenator 115, which outputs M = m||h(m). M and rn are provided to the adder 113 to calculate M+rn, which is input into the modular-n exponentiator 120 in Fig. 3 to generate the ciphertext C = g^{M+rn} mod n. The control part 140 effects sequential control of the respective parts and readout control of the storage part 130.
[0063] Next, the decryption process in the decryption device 200 will be described below. In Fig. 5 there is depicted a detailed configuration of the r-transform part 210 in the decryption device 200. In Fig. 6 there is depicted a detailed configuration of the discrete logarithm solution part 220. In Figs. 5 and 6 the parts corresponding to those in Figs. 2B and 2C are identified by the same reference numerals as in the latter. In the storage part 230 in Fig. 3 there are prestored p^2, p and L(g_p)^{-1} mod p, precalculated from the secret key p and the public key g. Upon receiving the ciphertext C from the communication line 300, the r-transform part 210 in the decryption device 200 reads out p^2 and p from the storage part 230, and inputs p^2 and the ciphertext C into the mod p^2-reducer 211 to calculate C mod p^2, which is input into the r-transformer 212. The r-transformer 212 calculates C_p = C^{p-1} mod p^2, and provides the calculation result C_p to the discrete logarithm solution part 220.

[0064] The discrete logarithm solution part 220 provides the value C_p from the r-transform part 210 to the logarithm calculator 221, which calculates L(C_p). The value L(C_p) and L(g_p)^{-1} mod p read out of the storage part 230 are input into the multiplier 222, which calculates M = L(C_p) × L(g_p)^{-1} mod p. The value M and k_0 read out of the storage part 230 are provided to a bit separator 223 to extract the high-order k_0 bits of the value M, and this value is output as the decrypted plaintext m from the discrete logarithm solution part 220. The sequential control of the respective parts and the readout control of the storage part 230 are effected by the control part 240. It is also possible to store only p and g in the storage part 230 and obtain p^2 and L(g_p)^{-1} mod p through calculation.

[0065] Next, a description will be given of Modified Embodiment 2 of the public-key cryptosystem based on the multiplicative group. The basic configuration of this embodiment is identical with the Fig. 3 embodiment except that the exponent generation part 110 has the configuration depicted in Fig. 7. Upon receiving the plaintext m from the user of the encryption device 100, the exponent generation part 110 generates a random number r (whose number of bits is k-k_0-1) by a random generator 411, then inputs the random number r and m into a bit concatenator 415 to obtain M = m||r, and inputs M into an h-function operator 414 to obtain R = h(M). The output R and n are fed into a multiplier 412 to obtain Rn. The outputs Rn and M are provided to an adder 413 to obtain M+Rn. This addition result is fed into the modular-n exponentiator 120 to generate the ciphertext C = g^{M+Rn} mod n.

[0066] The decryption procedure by the decryption device in this case is the same as in the case of the decryption device 200 of Modified Embodiment 1.

[0067] In Modified Embodiments 1 and 2 depicted in Figs. 3 to 6, too, the encryption and decryption procedures may be stored as computer programs on a recording medium and read out therefrom for execution as required.



SECOND EMBODIMENT

[0068] The first embodiment has been described to construct the public-key cryptosystem on the modular-n reduced residue class group (Z/nZ)* where n = p^2 q. A public-key cryptosystem constructed on an elliptic curve E_n defined over the modular-n ring Z/nZ where n = pq will hereinafter be referred to as a public-key cryptosystem based on an elliptic curve, and will be described below. In this instance, too, determine two primes p and q such that n = pq, and assume that elliptic curves E_p and E_q over F_p and F_q are given as follows:

E_p: y^2 = x^3 + a_p x + b_p (39)

where a_p, b_p ∈ F_p and 4a_p^3 + 27b_p^2 ≠ 0

E_q: y^2 = x^3 + a_q x + b_q (40)

where a_q, b_q ∈ F_q and 4a_q^3 + 27b_q^2 ≠ 0

[0069] By the Chinese remainder theorem, a and b such that a ≡ a_p mod p, b ≡ b_p mod p, a ≡ a_q mod q and b ≡ b_q mod q are determined uniquely mod n, and an elliptic curve defined over Z/nZ is obtained as follows:

E_n: y^2 = x^3 + ax + b (41)

where a, b ∈ Z/nZ and GCD(4a^3 + 27b^2, n) = 1

In the following description, unless otherwise specified, elliptic curves obtained by the Chinese remainder theorem as described above will be expressed by an equation of the form

E_n = [E_p, E_q], a = [a_p, a_q], b = [b_p, b_q] (42)

When it is particularly desirable to emphasize the moduli, such elliptic curves will also be expressed as follows:

E_n = [E_p mod p, E_q mod q] (43)

[0070] An elliptic curve over the finite field F_p which has order p will hereinafter be referred to as an anomalous elliptic curve. It is shown in Takakazu Satoh et al., "Fermat Quotients and the Polynomial Time Discrete Log Algorithm for Anomalous Elliptic Curves," Commentarii Mathematici Universitatis Sancti Pauli, Vol. 47, No. 1, 1998 (hereinafter referred to as Literature 11) that the discrete logarithm problem on an anomalous elliptic curve can be computed with high efficiency. An algorithm for solving the discrete logarithm problem on an anomalous elliptic curve will hereinafter be referred to as an SSA algorithm.

[0071] Now, let E_p be an anomalous elliptic curve and E_q a non-anomalous elliptic curve. As in the case of the above-described "public-key cryptosystem based on the multiplicative group," n, E_n, the point G on E_n(Z/nZ) and k are published as the public key. In this instance, however, the point G is set to have a sufficiently high order (for example, equal to n in the number of bits), and k represents the number of bits of the primes p and q. Letting the plaintext be selected in the range 0 ≤ m < 2^{k-1} and r be arbitrarily selected from Z/nZ, the encryption is defined by the following equation:

C = (m+rn)G ∈ E_n(Z/nZ) (44)

[0072] As regards the decryption, since a person who knows the prime factor p of n can transform the defining equation of this ciphertext into a mod p relationship between points on E_p(F_p), he can efficiently compute the discrete logarithm on the elliptic curve through the use of the afore-mentioned SSA algorithm. Hence, he can efficiently decrypt the ciphertext. Further, it can be proved that the analysis of this public-key cryptosystem is equivalent to factoring n when the elliptic curve E_n over Z/nZ, obtained by the Chinese remainder theorem from the public key n and the anomalous and non-anomalous elliptic curves, and the point G are given. That is, letting the problem of factoring n given the point G on the elliptic curve E_n be called a modified factoring problem (hereinafter referred to as MIFP), it is possible to prove that the analysis of the cryptosystem using the elliptic curve is equivalent to MIFP.
[0073] In the "public-key cryptosystem based on elliptic curves" according to the second embodiment, the encryption device comprises an exponent generation part which combines a plaintext and a random number into an exponent for an exponentiation in E_n(Z/nZ), and an E_n-exponentiator which performs the exponentiation in E_n(Z/nZ); the ciphertext generated by the E_n-exponentiator is sent over a communication line. On the other hand, the decryption device comprises a mod p-reducer which transforms a point on E_n(Z/nZ) to a point on E_p(F_p), and an SSA algorithm part which solves the discrete logarithm problem on E_p(F_p) for decryption of the ciphertext.

[0074] Next, a description will be given of the method of construction of the "public-key crypt
osystem based on elliptic curves" and the equivalence of its analysis to the modified factoring problem.

[0075] The SSA algorithm, which is used for decryption, will be described first.

[0076] The discrete logarithm problem on an anomalous elliptic curve over the finite field F_p is to find m ∈ Z/pZ which satisfies P = mG for F_p-rational points G and P. As referred to above, the SSA algorithm provides a solution to the discrete logarithm problem on the anomalous elliptic curve, and is efficient in that the computation amount for the anomalous elliptic curve over the finite field F_p is on the order of k^ where k is the number of bits of the prime p. The procedure of this algorithm is as listed below.

(SSA Algorithm)

[0077]

Step 1: Choose an elliptic curve E' which is produced by lifting E to Z and is such that the homomorphism λ_{E'} from the elliptic curve E(F_p) to the finite field F_p is non-trivial. This can be computed on the order of k^ where k is the number of bits of the prime p.
Step 2: Compute λ_{E'}(G) and λ_{E'}(P) through the use of the homomorphism λ_{E'} constructed in step 1 (which can be done on the order of k^) and compute m = λ_{E'}(P)/λ_{E'}(G) mod p (which can be done on the order of k^).

[0078] At any rate, the computational complexity of the SSA algorithm is on the order of k^ where k is the number of bits of the prime p. This homomorphism λ_{E'} provides an isomorphism as a group from the elliptic curve E(F_p) to the finite field F_p. For details about the construction method and so on, see Literature 10. When p is equal to or smaller than 5, this discrete logarithm problem can efficiently be solved without using the SSA algorithm.

(Key Generation)

[0079] Choose odd primes p and q arbitrarily and set n = pq. In this case, assume that the primes p and q have the same number of bits, which is represented by k. Next, choose an anomalous elliptic curve E_p over F_p and a non-anomalous elliptic curve E_q over F_q:

E_p: y^2 = x^3 + a_p x + b_p (45)

where a_p, b_p ∈ F_p, 4a_p^3 + 27b_p^2 ≠ 0

E_q: y^2 = x^3 + a_q x + b_q (46)

where a_q, b_q ∈ F_q, 4a_q^3 + 27b_q^2 ≠ 0. Here,

#E_p(F_p) = p,
#E_q(F_q) = q' = q + 1 - t

which are assumed to satisfy -2q^{1/2} ≤ t ≤ 2q^{1/2} and t ≠ 1 (so that q' ≠ q). The symbol # represents the number of elements of a set. As a method for constructing an elliptic curve with an expected order, a relatively efficient method utilizing complex multiplication theory has been proposed; in particular, the generation of anomalous elliptic curves is described, for example, in Miyaji, A., "Elliptic Curve Suitable for Cryptography," IEICE Trans. Fundamentals, E76-A, 1, pp. 50-54 (1993) (hereinafter referred to as Literature 13). Assume that points G_p and G_q on the elliptic curves E_p(F_p) and E_q(F_q) are chosen which have orders ord(G_p) = p and ord(G_q) = q'. Although the elliptic curve E_q(F_q) does not usually form a cyclic group, it is assumed so here for the sake of brevity. In general, it is possible to choose E_q(F_q) such that q' has a sufficiently large prime factor and select, as G_q, a point whose order is that large prime. This is followed by constructing the elliptic curve on Z/nZ through the use of the Chinese remainder theorem:

E_n: y^2 = x^3 + ax + b, a, b ∈ Z/nZ, GCD(4a^3 + 27b^2, n) = 1 (47)

That is, if the already defined symbols are used,

E_n = [E_p, E_q], a = [a_p, a_q], b = [b_p, b_q] (48)

Further, set

G = [G_p, G_q] (49)

Moreover, λ_{E'_p}(G_p)^{-1} mod p is precalculated as one of the system parameters by the SSA algorithm. This value is not published and may be considered one of the secret keys. For simplicity, this isomorphism will hereinafter be denoted by λ.

[0080] Accordingly, let (n, E_n, G, k) be the public key and (p, q) the secret key. In this instance, E_p, E_q, G_q and λ(G_p)^{-1} mod p may also be secret keys.

(Encryption Process)

[0081] For the plaintext m (where 0 ≤ m < 2^{k-1}), the random number r is selected from the range 0 ≤ r < n, then m+rn is computed, and the ciphertext C is computed as follows:

C = (m+rn)G ∈ E_n(Z/nZ) (50)

It must be noted, however, that this is the result of multiplying the point G by m+rn through the use of the addition on the elliptic curve E_n, and that the ciphertext is a point on the elliptic curve; that is, it is a pair of elements of Z/nZ. The ciphertext can be written as C = (C_x, C_y), C_x, C_y ∈ Z/nZ.



(Decryption Process)

[0082] By reducing both sides of the ciphertext defining equation (50) mod p, the solution of Eq. (50) is converted to the discrete logarithm problem on the anomalous elliptic curve as follows:

C_p ≡ (m+rn)G_p = mG_p ∈ E_p(F_p) (51)

because rn is a multiple of the prime p and (rn)G mod p = O (the point at infinity), where C = [C_p, C_q].

[0083] Hence, the plaintext m can be obtained using the SSA algorithm. Actually, due to the homomorphic property of λ,

λ(C_p) = λ(mG_p) = m·λ(G_p) mod p (52)

that is,

m = λ(C_p)/λ(G_p) mod p (53)

Thus, the plaintext can be decrypted.

[0084] With the above decryption procedure, the ciphertext C is decrypted by first calculating C_p = C mod p, then calculating λ(C_p), and finally performing a modular-p multiplication of λ(C_p) and the precalculatable λ(G_p)^{-1} mod p.
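The key generation, encryption and decryption of [0079] to [0084] as an added toy example in Python, not the patent's code; E_n = [E_p, E_q] and G = [G_p, G_q] are glued together with the Chinese remainder theorem as in Eqs. (47) to (49). It assumes tiny primes (p = 1009, q = 1013, with q' = 1019 supplied by the caller) whose curves are found by brute-force point counting, and it replaces the SSA algorithm part by a brute-force discrete logarithm on E_p, which only works because p is tiny.

```python
"""Toy model of the second embodiment: n = pq, E_n = [E_p, E_q] glued by the CRT,
C = (m+rn)G, and decryption by reducing C mod p onto the anomalous curve E_p.
Added example, not the patent's code.  The SSA algorithm part is stood in for by a
brute-force discrete log, feasible only because p is tiny here."""
import secrets

INF = None  # the point at infinity

def ec_add(P, Q, a, mod):
    """Chord-and-tangent addition on y^2 = x^3 + ax + b modulo `mod` (affine).
    Over Z/nZ a non-invertible denominator raises ValueError (from pow)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % mod == 0:
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, mod) % mod
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, mod) % mod
    x3 = (lam * lam - x1 - x2) % mod
    return x3, (lam * (x1 - x3) - y1) % mod

def ec_mul(k, P, a, mod):
    """Double-and-add: the 'exponentiation' kP on the curve."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, a, mod)
        P = ec_add(P, P, a, mod)
        k >>= 1
    return R

def find_curve(p, order):
    """Brute-force search (p tiny) for a non-singular y^2 = x^3 + ax + b over F_p
    with exactly `order` points counting infinity; returns (a, b, affine points)."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    for a in range(p):
        for b in range(p):
            if (4 * a ** 3 + 27 * b * b) % p == 0:
                continue
            pts = [(x, y) for x in range(p)
                   for y in roots.get((x ** 3 + a * x + b) % p, [])]
            if len(pts) + 1 == order:
                return a, b, pts
    raise ValueError("no curve of that order")

def crt(rp, rq, p, q):
    """The residue mod pq that is rp mod p and rq mod q."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)

def keygen(p, q, qprime):
    """E_p anomalous (#E_p(F_p) = p); E_q of prime order qprime != q (a prime in the
    Hasse interval of q, supplied by the caller); E_n = [E_p, E_q], G = [G_p, G_q]."""
    ap, bp, pts_p = find_curve(p, p)
    aq, bq, pts_q = find_curve(q, qprime)
    Gp, Gq = pts_p[0], pts_q[0]   # prime group orders: any affine point generates
    a, b = crt(ap, aq, p, q), crt(bp, bq, p, q)
    G = (crt(Gp[0], Gq[0], p, q), crt(Gp[1], Gq[1], p, q))
    return (p * q, a, b, G), (p, ap, Gp)

def on_curve(P, a, b, mod):
    return (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % mod == 0

def encrypt(public, m):
    """C = (m + rn)G in E_n(Z/nZ), Eq. (50); needs 1 <= m < p for unique decryption."""
    n, a, b, G = public
    for _ in range(100):
        r = secrets.randbelow(n)
        try:
            return ec_mul(m + r * n, G, a, n)
        except ValueError:
            pass   # an intermediate point was infinity mod p or mod q only: the toy G
                   # is far from the "sufficiently high order" the text requires; retry r
    raise ValueError("could not encrypt (is m out of range?)")

def decrypt(secret, C):
    """mod p-reducer: C_p = C mod p = mG_p since (rn)G_p = O, Eq. (51); then the
    discrete log on the anomalous E_p (brute force here, in place of SSA)."""
    p, ap, Gp = secret
    Cp = (C[0] % p, C[1] % p)
    R = INF
    for m in range(1, p):
        R = ec_add(R, Gp, ap, p)
        if R == Cp:
            return m
    raise ValueError("C mod p is not a nonzero multiple of G_p")

if __name__ == "__main__":
    public, secret = keygen(1009, 1013, 1019)   # toy primes; 1019 is a prime != 1013
    n, a, b, G = public
    C = encrypt(public, 777)
    print("C on E_n:", on_curve(C, a, b, n), "| decrypted m:", decrypt(secret, C))
```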

(Proof of Security)

[0085] By proving that the analysis of the "public-key cryptosystem based on elliptic curves" is equivalent to factoring n given information such as the public key (n, G, k), it is proved that the public-key cryptosystem based on elliptic curves is secure against passive adversaries.

[0086] If there is available an algorithm which factors n with non-negligible probability, a probabilistic polynomial time algorithm which analyzes the "public-key cryptosystem based on elliptic curves" can apparently be constructed. Accordingly, only the following fact will be proved.

"If an algorithm B is available which analyzes the 'public-key cryptosystem based on elliptic curves' with non-negligible probability, it is possible to construct a probabilistic polynomial time algorithm for factoring n."

[0087] What is meant by the "algorithm for factoring n with non-negligible probability" is an algorithm which ensures factoring of n by being applied repeatedly, a number of times on the order of a polynomial in the number of bits of the input n. The same holds true in the following description (see Literature 12 for its strict definition).

[0088] Actually, it is possible to prove that the difference between the distribution of z mod LCM(p-1, q-1), where n is a composite number (= pq) and z is randomly selected from Z/nZ, and the distribution of m+rn mod pq' for the m+rn which appears in the encryption procedure of the public-key cryptosystem according to the present invention is negligible. For this reason, the algorithm B recognizes that C calculated by C = zG ∈ E_n(Z/nZ), where z is randomly selected from Z/nZ, is a ciphertext with non-negligible probability, and the algorithm B outputs a plaintext z_0 corresponding to C. Now, since the probability that z is a number in the range z < 2^{k-1} is negligible, z ≥ 2^{k-1} holds with non-negligible probability. In this case, z ≡ z_0 (mod p) holds, whereas z ≡ z_0 (mod n) does not hold because z_0 < 2^{k-1}. Accordingly, the calculated value of GCD(z-z_0, n) becomes p, permitting factoring of n. Thus, it is possible to factor n in probabilistic polynomial time in the number of bits of n.

(Concrete Examples)

[0089] Next, a description will be given of an embodiment of the "public-key cryptosystem based on elliptic curves."

[0090] In Fig. 8 there is illustrated in block form the cryptosystem according to the second embodiment of the invention. An encryption device 400 and a decryption device 500 are connected via a communication line 600. The encryption device 400 has an exponent generation part 410 and an E_n-exponentiator 420. The decryption device 500 has a mod p-reducer 510 and an SSA algorithm part 520.

[0091] In the first place, the encryption process in the encryption device 400 will be described below. A detailed configuration of the exponent generation part 410 in the encryption device 400 is depicted in Fig. 9A. Upon receiving a plaintext m from a user of the encryption device 400, the exponent generation part 410 generates a random number r ∈ Z/nZ by a random generator 411, and inputs the random number r into a multiplier 412. The multiplier 412 calculates rn and provides it to an adder 413 to calculate m+rn, which is fed into the E_n-exponentiator 420 to generate a ciphertext C = (m+rn)G.

[0092] Next, the decryption process in the decryption device 500 will be described below. A detailed configuration of the SSA algorithm part 520 in the decryption device 500 is depicted in Fig. 9B. Upon receiving the ciphertext C from the communication line 600, the mod p-reducer 510 in the decryption device 500 calculates C_p = C mod p ∈ E_p(F_p), and inputs C_p into the SSA algorithm part 520. As depicted in Fig. 9B, upon receiving C_p from the mod p-reducer 510, the SSA algorithm part 520 provides it to a logarithm calculator 521 to calculate λ(C_p) using the isomorphism λ and the prime p, and inputs the calculation result into a multiplier 522, which calculates λ(C_p) × λ(G_p)^{-1} mod p using the precalculated λ(G_p)^{-1} mod p. The SSA algorithm part 520 outputs the value thus obtained as the decrypted plaintext m.

[0093] The encryption and decryption procedures by the encryption and decryption devices of the second embodiment, shown in Figs. 8, 9A and 9B, may be implemented by recording the procedures as programs on a recording medium and reading them out for execution by a computer.

[0094] As described previously, the encryption and decryption procedures by the encryption and decryption devices of the above-described first and second embodiments may be stored on a recording medium as computer-executable programs so that they are read out for execution as desired. In such an instance, the encryption and decryption devices are implemented, for example, as an ordinary computer 10 composed of a control unit (CPU) 11, a hard disk 12, a RAM 13 and an I/O interface 14 interconnected via a bus 15 as shown in Fig. 10. The encryption program and the decryption program are prestored, for example, on the hard disk 12 used as a recording medium, and the CPU 11 uses the RAM 13 as a work area for processing and performs the aforementioned various operations following the programs. In the case of the encryption device, the plaintext m to be encrypted is input via the I/O interface 14 from the user and the ciphertext C is output via the I/O interface 14. In the case of the decryption device, the ciphertext C is input via the I/O interface 14 and the decrypted plaintext m is output. The recording medium for storing such encryption and decryption programs may be an external recording medium 16 connected to the computer 10 as indicated by the broken lines in Fig. 10.

EFFECT OF THE INVENTION

[0095] The table of Fig. 11 gives a comparison of the cryptosystem of the first embodiment of the present invention and the typical public-key cryptosystems considered practical at present, the RSA, Rabin and ElGamal schemes, in terms of the computational complexities involved in encryption and decryption and in terms of security. The computation amounts are estimated using, as one unit, a modular multiplication of 1024-bit natural numbers. The parameter used in RSA is e=2^^+1 and the random number used in ElGamal is about 130 bits. As for security, the double circle indicates that equivalence to the basic problem (the factoring problem or the discrete logarithm problem) is provable; the white circle "○" indicates that equivalence to a problem (the afore-mentioned p-subgroup problem, for instance) which is a little easier than the basic problems is provable; the cross "×" indicates that equivalence to the basic problems is not provable; and the question mark indicates that equivalence to the basic problems has not been proved.

[0096] From the table of Fig. 11 it is evident that the public-key cryptosystem according to the present invention is a practical cryptosystem which has the same processing speed as that of the conventional public-key cryptosystems and achieves a high level of security.

[0097] As described above, according to the present invention, a novel public-key cryptosystem which is provably secure against passive adversaries and chosen ciphertext attacks can be constructed based on the assumption of the intractability of the factoring problem. At present, it is said that the cryptosystem is sufficiently secure with a minimum of about 1024 bits for n; that is, p and q need only have 340 bits. For example, in this case, if the plaintext m is 250 bits, it is practical to increase it by 80 bits to obtain an M of 330 bits. Furthermore, the computation amounts for both encryption and decryption are on the order of k^, where k is the number of bits of the public key n. These computation amounts are about the same as those of the conventional typical public-key cryptosystems; hence, the public-key cryptosystem of the present invention is very practical. Besides, since the cryptosystem of the present invention can be said to be secure against passive adversaries and chosen ciphertext attacks based on the assumption that the factoring problem is intractable, it is assured that the cryptosystem of the present invention is more secure than the RSA cryptosystem, regarded as the most powerful at present.

20 

Claims 

1 . An encryption device for a public-key cryptosystem comprising: 

25 exponent generating means for generating an exponent by combining an input plaintext m and a random 

number r; and 

exponentiating means for generating a ciphertext by exponentiating a second public key g with said exponent 
in a modular-n reduced residue class group, where said n is a first public key which is a composite number. 

30 2. The encryption device of claim 1 , wherein, letting p and q be odd primes having the same number of bits, said first 
public key n is n=p2q and said second public key g is selected from a modular-n reduced residue class group 
(Z/nZ)* such that g p=g ^"^ mod p^ has an order of p in (Z/p^Z)*. 

3. The encryption device of claim 1 or 2, wherein said exponent generating means comprises a multiplier for multlply- 
35 ing said random number r and said first public key n and for outputting the multiplication result rn. and an adder for 

adding said multiplication result rn and said plaintext m and for outputting the addition result m+rn as said expo- 
nent. 

4. The encryption device of claim 1, wherein said exponent generating means comprises:

h-function operating means for transforming said plaintext m to h(m) through calculation with a hash function;
bit concatenating means for concatenating said h(m) and said plaintext m to obtain a value M = m||h(m);
random generating means for generating said random number r;
multiplying means for multiplying said random number r and said first public key n; and
adding means for adding the multiplication result rn and said value M to provide the addition result M+rn as the output from said exponent generating means.

5. The encryption device of claim 4, wherein, letting said p and q be odd primes having the same number k of bits, said first public key n is n = p^2 q, said second public key g is selected from a modular-n reduced residue class group (Z/nZ)* such that g_p = g^(p-1) mod p^2 has an order of p in (Z/p^2 Z)*, the number of bits of said h(m) is k-k_0-1 where 0 < k_0 < k, and the number of bits of said plaintext m is k_0.

6. The encryption device of claim 1, wherein said exponent generating means comprises:

random generating means for generating said random number r;
bit concatenating means for concatenating said m and said random number r to obtain a value M = m||r;
h-function operating means for transforming said value M to R = h(M) through calculation with a hash function;
multiplying means for multiplying said R and said first public key n; and
adding means for adding the multiplication result Rn and said M to provide the addition result as the output from said exponent generating means.

7. The encryption device of claim 6, wherein, letting said p and q be odd primes having the same number k of bits, said first public key n is p^2 q, said second public key g is selected from a modular-n reduced residue class group (Z/nZ)* such that g_p = g^(p-1) mod p^2 has an order of p in (Z/p^2 Z)*, the number of bits of said random number r is k-k_0-1 where 0 < k_0 < k, and the number of bits of said plaintext m is k_0.

8. A decryption device for a public-key cryptosystem comprising:

r-transform means for transforming, through the use of a first secret key, an input ciphertext C to an element C_p of a modular-n reduced residue class group, where said n is a first public key which is a composite number; and

discrete logarithm solution means for solving a discrete logarithm in said transformed element C_p through the use of a second secret key.

9. The decryption device of claim 8, wherein let p and q be odd primes, n = p^2 q, said input ciphertext C be an integer in the range 0 < C < n and prime to said n, said p be said first secret key and said n be said first public key, and wherein said r-transform means comprises:

p^2-reducing means for calculating C mod p^2 ∈ (Z/p^2 Z)*; and

transform means for performing a modular-p^2 exponentiation of the calculation result C mod p^2 with p-1 to obtain said element C_p.

10. The decryption device of claim 8 or 9, wherein let said first secret key p be an odd prime, g_p and said C_p be integers in the range 0 < g_p, C_p < p^2 satisfying g_p ≡ C_p ≡ 1 (mod p) and g_p ≢ 1 (mod p^2), and [(g_p-1)/p]^(-1) mod p be said second secret key, and wherein said discrete logarithm solution means comprises:

logarithm calculating means supplied with said element C_p, for calculating L(C_p) = (C_p-1)/p; and

multiplying means for performing a modular multiplication of the calculation result L(C_p) and said second secret key [(g_p-1)/p]^(-1) mod p with said p and for outputting a decrypted plaintext.

11. The decryption device of claim 8, which, letting k be the number of bits of said odd prime p and 0 < k_0 < k, further comprises means for outputting, as a decrypted plaintext, the high-order k_0 bits of the solution of said discrete logarithm solution means.

12. The decryption device of claim 11, wherein let p and q be odd primes, n = p^2 q, said input ciphertext C be an integer in the range 0 < C < n and prime to said n, said p be said first secret key and said n be said first public key, and wherein said r-transform means comprises:

p^2-reducing means for calculating C mod p^2 ∈ (Z/p^2 Z)*; and

transform means for performing a modular-p^2 exponentiation of the calculation result C mod p^2 with p-1 to obtain said element C_p.

13. The decryption device of claim 12, wherein let said first secret key p be an odd prime, g_p and said C_p be integers in the range 0 < g_p, C_p < p^2 satisfying g_p ≡ C_p ≡ 1 (mod p) and g_p ≢ 1 (mod p^2), and [(g_p-1)/p]^(-1) mod p be said second secret key, and wherein said discrete logarithm solution means comprises:

logarithm calculating means supplied with said element C_p, for calculating L(C_p) = (C_p-1)/p; and

multiplying means for performing a modular multiplication of the calculation result L(C_p) and said second secret key [(g_p-1)/p]^(-1) mod p with said p and for outputting a decrypted plaintext.
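The encryption of claims 1 to 3, the decryption of claims 8 to 10 and the padded variant of claims 4, 5 and 11, as an added worked example (editor's code, not the patent's and not any reference implementation), together with the two caveats attached to the description's chosen ciphertext remark: the basic ciphertext is additively homomorphic and therefore malleable, and a decryption oracle for the basic scheme leaks p. Assumptions not found in the patent: the toy 30-bit primes 1000000007 and 998244353 as p and q (a deployment would use primes of about 340 bits), SHA-256 truncated to k-k_0-1 bits as the hash function h, dictionaries for the keys, and the tag check in `decrypt_padded`, which claim 11 does not require but a practitioner would add.

```python
# Added example, not code from the patent: the scheme of claims 1-13 with toy
# parameters, the padded variant of claims 4-5 and 11 with a tag check, and two
# caveats on the basic scheme (malleability, p-recovery via a decryption oracle).
import hashlib
import math
import random

DEMO_P, DEMO_Q, DEMO_K = 1000000007, 998244353, 30   # assumption: two 30-bit primes; real use ~340 bits


def keygen(p, q, k, rng):
    """Claim 2: n = p^2 q and g in (Z/nZ)* with g_p = g^(p-1) mod p^2 of order p in (Z/p^2 Z)*."""
    n, p2 = p * p * q, p * p
    while True:
        g = rng.randrange(2, n)
        gp = pow(g, p - 1, p2)
        if math.gcd(g, n) == 1 and gp != 1:   # g_p = 1 (mod p) always; g_p != 1 (mod p^2) gives order p
            break
    L_inv = pow((gp - 1) // p, -1, p)          # second secret key [(g_p - 1)/p]^(-1) mod p (claim 10)
    return {"n": n, "g": g, "k": k}, {"p": p, "L_inv": L_inv}


def encrypt(pk, m, rng):
    """Claims 1 and 3: C = g^(m + r n) mod n for a random r; needs 0 <= m < p."""
    n = pk["n"]
    return pow(pk["g"], m + rng.randrange(1, n) * n, n)


def decrypt(pk, sk, C):
    """Claims 8-10: C_p = (C mod p^2)^(p-1) mod p^2, L(C_p) = (C_p - 1)/p, m = L(C_p) L(g_p)^(-1) mod p."""
    p = sk["p"]
    Cp = pow(C % (p * p), p - 1, p * p)        # = g_p^(m + r n) = g_p^m, as g_p has order p and p | n
    return (Cp - 1) // p * sk["L_inv"] % p


def h(m, tag_bits):
    """The hash function of claim 4, instantiated (assumption) as SHA-256 truncated to tag_bits."""
    digest = hashlib.sha256(m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - tag_bits)


def encrypt_padded(pk, m, k0, rng):
    """Claims 4-5: M = m || h(m) with h(m) of k - k0 - 1 bits, so M < 2^(k-1) <= p."""
    tag_bits = pk["k"] - k0 - 1
    if not 0 <= m < (1 << k0):
        raise ValueError("plaintext must fit in k0 bits")
    return encrypt(pk, (m << tag_bits) | h(m, tag_bits), rng)


def decrypt_padded(pk, sk, C, k0):
    """Claim 11 (output the high-order k0 bits) plus the tag check a practitioner would add."""
    k = pk["k"]
    tag_bits = k - k0 - 1
    M = decrypt(pk, sk, C)
    m, tag = M >> tag_bits, M & ((1 << tag_bits) - 1)
    if M >> (k - 1) or tag != h(m, tag_bits):
        return None                             # reject: not of the form m || h(m), e.g. a tampered C
    return m


def homomorphic_sum(pk, sk, m1, m2, rng):
    """Caveat 1: C1 C2 = g^((m1+m2) + (r1+r2) n) mod n, so the basic scheme is malleable."""
    return decrypt(pk, sk, encrypt(pk, m1, rng) * encrypt(pk, m2, rng) % pk["n"])


def recover_p(pk, oracle, rng):
    """Caveat 2: with a decryption oracle for the basic scheme, C = g^x mod n (x >= p) decrypts
    to x mod p, so p divides x - (x mod p) and a gcd with n exposes it."""
    n, k = pk["n"], pk["k"]
    while True:
        x = rng.getrandbits(2 * k) | (1 << (2 * k - 1))   # 2k-bit x, certainly >= p
        d = math.gcd(x - oracle(pow(pk["g"], x, n)), n)     # one of p, p^2, pq, n
        for c in (d, n // d, math.isqrt(d)):
            if c > 1 and n % (c * c) == 0:                  # p is the only divisor of n whose square divides n
                return c


def run_demo(seed=1):
    """Constructed end-to-end run; returns the results so they can be checked, not just printed."""
    rng = random.Random(seed)
    pk, sk = keygen(DEMO_P, DEMO_Q, DEMO_K, rng)
    tampered = encrypt_padded(pk, 40000, 16, rng) * encrypt(pk, 1, rng) % pk["n"]   # adds 1 to M
    return {
        "plain": decrypt(pk, sk, encrypt(pk, 123456, rng)),                        # 123456
        "padded": decrypt_padded(pk, sk, encrypt_padded(pk, 40000, 16, rng), 16),  # 40000
        "tampered": decrypt_padded(pk, sk, tampered, 16),                          # None
        "sum": homomorphic_sum(pk, sk, 5, 7, rng),                                 # 12
        "p_leaked": recover_p(pk, lambda C: decrypt(pk, sk, C), rng) == DEMO_P,    # True
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the dictionary returned by `run_demo`. `recover_p` only needs ciphertexts of its own choosing decrypted, which is what the padded variant blunts: a chosen C = g^x mod n decrypts to an M that is almost never of the form m||h(m), so `decrypt_padded` returns nothing useful instead of x mod p.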

14. A recording medium on which there is recorded a program for executing an encryption process of an encryption device through the use of first and second public keys n and g, wherein said program comprises:

an exponent generating step of generating an exponent by combining an input plaintext m and a random number r; and

an exponentiating step of generating a ciphertext C by exponentiating said second public key g with said exponent in a modular-n reduced residue class group, where said n is said first public key which is a composite number.

15. The recording medium of claim 14, wherein said exponent generating step of said program comprises the steps of:

generating said random number r;
multiplying said random number r and said first public key n; and
adding the multiplication result rn and said plaintext m and outputting the addition result m+rn as said exponent; and

wherein said ciphertext C generating step is a step of generating said ciphertext C by performing a modular-n exponentiation of said public key g with said addition result m+rn, where said n is said first public key.

16. The recording medium of claim 14 or 15, wherein, letting p and q be odd primes having the same number of bits, said first public key n is p^2 q and said second public key g is selected from a modular-n reduced residue class group (Z/nZ)* such that g_p = g^(p-1) mod p^2 has an order of p in (Z/p^2 Z)*.

17. The recording medium of claim 14, wherein said exponent generating step comprises the steps of:

generating said random number r;
multiplying said random number r and said first public key n;
transforming said plaintext m to h(m) through calculation with a hash function;
bit concatenating said h(m) and said plaintext m to obtain a value M = m||h(m); and
adding the multiplication result rn and said value M and outputting the addition result M+rn as said exponent; and

wherein said ciphertext C generating step is a step of generating said ciphertext C by performing a modular-n exponentiation of said public key g with said addition result M+rn, where said n is said first public key.

18. The recording medium of claim 17, wherein, letting p and q be odd primes having the same number k of bits, said first public key n is p^2 q, said second public key g is selected from a modular-n reduced residue class group (Z/nZ)* such that g_p = g^(p-1) mod p^2 has an order of p in (Z/p^2 Z)*, the number of bits of said h(m) is k-k_0-1 where 0 < k_0 < k, and the number of bits of said plaintext m is k_0.

19. The recording medium of claim 14, wherein said exponent generating step of said program comprises the steps of:

generating said random number r;
bit concatenating said plaintext m and said random number r to obtain a value M = m||r;
transforming said value M to R = h(M) through calculation with a hash function h;
multiplying said value R and said first public key n; and
adding the multiplication result nR and said value M and outputting the addition result M+nR as said exponent; and

wherein said ciphertext C generating step is a step of generating said ciphertext C by performing a modular-n exponentiation of said public key g with said addition result M+nR, where said n is said first public key.

20. The recording medium of claim 19, wherein, letting p and q be odd primes having the same number k of bits, said first public key n is p^2 q, said second public key g is selected from a modular-n reduced residue class group (Z/nZ)* such that g_p = g^(p-1) mod p^2 has an order of p in (Z/p^2 Z)*, the number of bits of said random number r is k-k_0-1 where 0 < k_0 < k, and the number of bits of said plaintext m is k_0.

21. A recording medium on which is recorded a program for executing a decryption process of a decryption device through the use of first and second public keys n and g, wherein said program comprises:

an r-transforming step of transforming, through the use of a first secret key, an input ciphertext C to an element C_p of a modular-n reduced residue class group, where said n is said first public key which is a composite number; and

a discrete logarithm solving step of solving a discrete logarithm in said transformed element C_p through the use of a second secret key.
22. The recording medium of claim 21 on which is recorded a program for executing a decryption process, wherein let p and q be odd primes, n = p^2 q, said input ciphertext C be an integer in the range 0 < C < n and prime to said n, and wherein said r-transforming step in said program comprises the steps of:

calculating an element of a modular-p^2 reduced residue class group, C mod p^2, for said input ciphertext C; and
performing a modular-p^2 exponentiation of the calculation result C mod p^2 with p-1 to obtain said element C_p.

23. The recording medium of claim 21 or 22 on which is recorded a program for executing a decryption process, wherein let g_p and said C_p be integers in the range 0 < g_p, C_p < p^2 satisfying g_p ≡ C_p ≡ 1 (mod p) and g_p ≢ 1 (mod p^2), and said second secret key be [(g_p-1)/p]^(-1) mod p, and wherein said discrete logarithm solving step in said program comprises the steps of:

calculating (C_p-1)/p through the use of said C_p and said p; and

performing a modular-p multiplication of the calculation result (C_p-1)/p by said second secret key to obtain a decrypted plaintext.

24. The recording medium of claim 21 on which is recorded a program for executing a decryption process, wherein, letting k be the number of bits of said odd prime p and 0 < k_0 < k, said program further comprises a step of outputting, as a decrypted plaintext, the high-order k_0 bits of the solution obtained by said discrete logarithm solving step.

25. The recording medium of claim 24 on which is recorded a program for executing a decryption process, wherein let p and q be odd primes, n = p^2 q, said input ciphertext C be an integer in the range 0 < C < n and prime to said n, said p be said first secret key and said n be said first public key, and wherein said r-transform step in said program comprises:

a p^2-reducing step for calculating C mod p^2 ∈ (Z/p^2 Z)*; and

a transform step for performing a modular-p^2 exponentiation of the calculation result C mod p^2 with p-1 to obtain said element C_p.

26. The recording medium of claim 25 on which is recorded a program for executing a decryption process, wherein let said first secret key p be an odd prime, g_p and said C_p be integers in the range 0 < g_p, C_p < p^2 satisfying g_p ≡ C_p ≡ 1 (mod p) and g_p ≢ 1 (mod p^2), and [(g_p-1)/p]^(-1) mod p be said second secret key, and wherein said discrete logarithm solution step comprises:

a logarithm calculating step for calculating L(C_p) = (C_p-1)/p for said element C_p; and

a multiplying step for performing a modular multiplication of the calculation result L(C_p) and said second secret key [(g_p-1)/p]^(-1) mod p with said p and for outputting a decrypted plaintext.

27. An encryption device for a public-key cryptosystem comprising:

exponent generating means for generating an exponent by combining an input plaintext and a random number; and

exponentiating means for generating a ciphertext by performing a modular exponentiation of a second public key with said exponent in an elliptic curve over a modular residue class ring with a first public key which is a composite number.

28. A decryption device for a public-key cryptosystem comprising:

reducing means for transforming an input ciphertext to an element C_p of an elliptic curve over a finite field; and
SSA algorithm means for calculating a discrete logarithm for said element C_p and for outputting a decrypted plaintext.

29. The decryption device of claim 28, wherein, letting p be an odd prime larger than 5, E_p be an elliptic curve over a finite field F_p having a number p of F_p-rational points, said F_p-rational points be non-infinite points G_p and C_p, and λ(G_p)^(-1) mod p be a secret key, said SSA algorithm means comprises:

logarithm calculating means supplied with said element C_p, said elliptic curve E_p and said function λ, for calculating λ(C_p); and

multiplying means supplied with said λ(C_p) and said secret key, for performing a modular multiplication of said λ(C_p) and said secret key with said p and for outputting said decrypted plaintext.

30. A recording medium on which there is recorded a program for executing an encryption process of an encryption device which uses an elliptic curve over a modular-n residue ring, where said n is a public key, obtained by the Chinese remainder theorem from an elliptic curve E_p over a finite field F_p having a number p of F_p-rational points and an elliptic curve E_q over a finite field F_q having a number q of F_q-rational points, said program comprising:

a step of generating a random number r;
a step of multiplying said random number r by said public key n;
a step of adding the multiplication result rn and an input plaintext m to obtain an exponent m+rn; and
a step of generating a ciphertext by performing a modular exponentiation of a second public key with said exponent in an elliptic curve over a modular residue ring with a first public key which is a composite number.



31. A recording medium on which there is recorded a program for executing a decryption process of a decryption

a step of performing a modular-p transformation of said input ciphertext C to one element C_p of said elliptic curve E_p over said finite field F_p, where p is said odd prime;
a step of obtaining λ(C_p) by calculating, for said element C_p, an isomorphism function λ from E(F_p) to F_p; and
a step of outputting a decrypted plaintext by performing a modular-p multiplication of said λ(C_p) and said secret key, where p is said odd prime.